Slashdot Mirror
All We Want Is Whatever's On Your Machine
kubla2000 writes: "A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet. What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack as this story from computerworld magazine shows, was a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this! It seems the bandwagons have started rolling. Who's next to jump on?"
If they should be able to run code at our computers, they increase the security risk, since viruses may exploit these programs.
policy to me.
This can't be a good thing: just think of
the court cases, and the added burden on the legal system.
Imagine a scenario like this:
Company A, B, and C are infected with viruses.
Company A tells Company B to "santize your systems, and stop infecting us, !". Company B has santizied it's system, and tells Company A to "go pound salt".
Company A, unknowingly infected by Company C but still blaming Company B shuts down Company B's system. Company B is not happy.
Company B manages to bring it's system back up, and shuts down Company A in retribution.
Lawsuits ensue. The courts, which could be ruling on citizen's issues instead, (like, say, overruling the DCMA), become backed up with corporate bickering. The citizens lose. Ugly situation.
And that's not touching on any of the questionable ethics of government sponsored vigilantism. I'll
leave that flamewar to others -- I imagine things will get quite toasty.
I thought it was fairly well balanced actually. Outlined the problems of "hacking back" in language that everyone can understand...
Wouldn't any DOS-attack against an alleged "offender" also hit the bandwidth/resources of all the innocent systems along the way? I'm not sure how this wouldn't create lots of collateral damage for people who aren't involved.
We've already seen something akin to this, at least on a small scale.
:P
Working as a telephone tech support person for a non-tech sector company, Klez was particularly annoying as we would get angry telephone calls from our own corporate executives about how our server based antivirus program wasn't working, as they were getting angry emails from people at other companies telling them to stop sending them the Klez virus.
All because the damn thing sent false header information and someone outside both companies had been infected, people would continue to blame the wrong parties when their own antivirus program would point them at the wrong culprit, despite all the media stories explaining the damn thing in clear detail.
We had a number of execs refuse to believe us when we told them their machine was clean, as "obviously" we were wrong according to the people at the other company. Even had one high up try to install her own antivirus program because she didn't trust ours and ended up trashing her computer.
I just loved the whole telephone support deal during the peak Klez season.
"Well, his computer pinged me a few times, so I used a buffer overflow to gain access to his machine, and formatted his harddrive."
As you can see, there are two issues that are left unresolved: what defines an illegal attack, and what defines an appropriate "counter attack".
As for this falling under a self-defense part of the law, I would suggest looking at the goal of self-defense: stopping an attack against you. Self defense does not mean kill someone, does not mean detain someone, or anything else. Although it is possible that those could be necessary in an act of self defense, in most cases they are not.
With all this in mind, take a look at how you can stop the attack on you. The best way would be with a firewall or patching the problem. From there on, you should report the problem to the authorities (ala "real life"), probably being the machine's isp, and possibly the police/fbi.
Vigilanties are not protected by the law, and their best hope is to convince a jury/judge that they were doing the "right thing". Unfortunately, most of them aren't qualified to make that decision :]
If hacking is illegal, only criminals will hack.
To protect ourselves, we need to make justified hacking legal!
God knows the world doesn't have enough hackers.
Now, seriously... if it's possible to do something nasty, like spreading a virus or disabling a remote system, someone will do it - regardless of what the law says. This is true of all laws, whether we like it or not. There are two important differences in the 'digital' world:
- The Internet is such a hopelessly confused tangle of metaphors that often we have trouble telling exactly how our normal ideas apply.
- The Internet is not like the physical world, and often our ideas don't apply.
Now, the point here is that while laws can help protect the Internet, the actual solution - perhaps the only solution - is for our machines to protect themselves. No - that's the wrong metaphor. There's no reason a computer needs to start running a bit of malicious code just because of a bunch of bytes it happens to read through the network. Our computers can only be hurt by others if they themselves allow it.
Unfortunately the back door was open to everybody.
.ini file was fun but managed all of this. Its a good thing the 'bad hackers *dont abuse me for claiming crackers are hackers too - they are usually just stupid hackers whove found something they can take over the world with*' are also usually also stupid people.
True, back when I first used my Windows machine NetBus was popular in a chat room I visited. A girl I got to know sent me the server part so I could let her see what other people were seeing on her computer (NetBus was actually being run willingly by her as it was a fun thing to do) and being an old computer geek felt safe doing this. 5 minutes after getting the 'patch.exe' and running it, I found the client part online *google wasnt even around then - go webcrawler* and figured it out enough to connect to her computer and do more to her than she could do to me (ie control and execute other programs and lock her out of my computer *she actually complained that noone could connect to my computer and that I wasnt running the server until I gave her the password and watched the many computers connect*). I had to guess the password to her computer of course but the person who sent her the file put her kids name as the password which happened to be the only thing I tried. I ended up changing the password and telling her to not take any more files no matter how much fun they were if she wanted to maintain privacy (it wasnt just to pop the cd in and out as she claimed). I honestly didnt know what a 'port' was at that time and thought hacking an
If you like laughing at crackers youll probably like that story.
Pixels keep you awake!
Using his technique, the computer that launches an attack is paralyzed and requires an administrator to restart it, but it stays online and is not otherwise harmed, said Mullen, who is a columnist for SecurityFocus.com
Requires an administrator to restart it? Do they mean it basically crashes and has to be rebooted? How does that do anything to solve the virus? Sure it temporarily disables it, but if it's a 9x/ME box there is no "administrator" and if it's NT/2K/XP there may be many people with admin rights. Furthermore, your average grandmother-using-aol-on-her-emachine would have no idea what to do, or that she has a virus, or what a virus is. Temporarily disabling machines doesn't do anything to solve virus problems. The only thing that will solve virus problems is educated computer users, and that is unlikely to happen anytime soon.
Consider. Anything you write is protected by copyright automatically.
Let's suppose you write an email. While it shouldn't be necessary, perhaps you might include an explicit restriction in the body of the email, or at the bottom like lawyers often do: "This material is copyright by the sender and may not be reproduced in whole or in part by any means, including but not limited to reproducing on paper via a printer, forwarding to any other mailbox, storing on punch cards, paper tape, magnetic tape, optical media, or any other machine-readable form of reproduction. If you wish to reproduce this item, licenses are available from the sender for a nominal fee."
Let's suppose you sent your email to the RIAA. They are entitled to exactly one copy, which will end up in the mailbox of the receptionist. This will pose a dilemma, which will probably be solved by violating your copyright.
You might find it necessary to take steps to protect your intellectual property.
I wrote a script on my server web server (that constently gets hit over and over by nimda... about 300 times a day it seems) to use the vonrobility against them.
It uses nimda vonrobility to hit them back and gives them hundreds of popup messages thruout their system, telling them to apply the patch and get some type of security (then the scripts delete themselves).It also applys an "at" command to launch a vbs file on their system to remisystem nd them to get a patch.Just anough to anoy them.
It work seems to work. I impliment this because I work at a very small ISP here in town hosting dsl lines. Our lines are always getting eatten up by nimda, even still. This way it saves on our bandwidth for everyone else to use. The funny thing is that it works. Traffic used by nimda on the network has gone down dramaticly because of it. We applied the program to all the gateways (since they are all linux boxxes). Just added Apache with my scirpt to fish out as many people as possible.
I love it. We get calls from customers yelling and screaming that they didn't have nimda and we prove it to them by emailing them the log file. Some are even thankful. Zac Bowling
No.
"An eye for an eye and the whole world would be blind." -- M. Gandhi
(And yes, I did write "M. Gandhi" because I don't know how to spell his first name)
-a
How to rationalize theft.
Bad editing leads to abrupt transitions. Here we go from "Striking back against a computer that is attacking you" with a worm to this:
Whah? Then we back off and contrast that approach (placing "destructive decoy digital files into peer-to-peer networks to penalize users") with the hack-back the story was really written around.
It's almost like the editor wanted to nod in the direction of the latest legislative "anti-hacker" move, whether or not it really had anything to do with his story. That's all. No "bandwagon." Just bad editing. Given the state of /.'s stories, we should relate.
"Fundamentalism" isn't about divine morality. It's about human authority.